php · WWBN/AVideo · Heads-up
AVideo YouTubeAPI Plugin Stored XSS via snippet.title
What changed
Stored XSS vulnerability in the AVideo YouTubeAPI plugin: the `snippet.title` value from the YouTube Data API is rendered without HTML encoding in gallery cards, allowing an attacker who controls a YouTube video matching the operator's search query to inject arbitrary JavaScript.
Who it affects
All AVideo instances with the YouTubeAPI plugin enabled and `showGallerySection=true` (default). Visitors and administrators loading pages that render the gallery are affected.
What to do today
Disable the YouTubeAPI plugin or set `showGallerySection=false` until a patched version is deployed. Alternatively, apply HTML encoding to all `$youtubeTitle` outputs in `plugin/YouTubeAPI/gallerySection.php`.
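The HTML-encoding mitigation described above, as an added PHP example that is not AVideo's own code. `h()`, `renderCardUnsafe()`, `renderCardSafe()`, the card markup and the `$apiItem` array are hypothetical, and the title value is constructed.

```php
<?php
// Added example, not the contents of plugin/YouTubeAPI/gallerySection.php.
// $apiItem is a constructed stand-in for one item of a YouTube Data API
// search response; only snippet.title matters here.
$apiItem = [
    'snippet' => [
        'title' => 'Clip <script>/* constructed marker */</script> "a" & \'b\'',
    ],
];

// Encode a value for HTML text and quoted-attribute contexts.
// ENT_QUOTES covers both quote characters; ENT_SUBSTITUTE replaces invalid
// UTF-8 sequences instead of returning an empty string.
function h(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Before: the remote title is concatenated into markup as-is, so any markup
// it carries becomes part of the page (hypothetical card layout).
function renderCardUnsafe(array $item): string
{
    $youtubeTitle = $item['snippet']['title'];
    return '<div class="card" title="' . $youtubeTitle . '">' . $youtubeTitle . '</div>';
}

// After: the title is treated as untrusted text and encoded once, at output.
function renderCardSafe(array $item): string
{
    $youtubeTitle = h((string) ($item['snippet']['title'] ?? ''));
    return '<div class="card" title="' . $youtubeTitle . '">' . $youtubeTitle . '</div>';
}

echo renderCardUnsafe($apiItem), PHP_EOL;
echo renderCardSafe($apiItem), PHP_EOL;

// Regression check: no raw tag or attribute-breaking quote from the title
// may survive in the encoded card.
$encoded = h($apiItem['snippet']['title']);
if (strpbrk($encoded, '<>"\'') !== false) {
    throw new RuntimeException('title was not fully HTML-encoded');
}
```

`htmlspecialchars()` is sufficient only for HTML text and quoted attribute values; a title echoed inside an inline script or a URL needs the encoding for that context instead.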